Fedora has issued an advisory today (September 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVI7PQ5NTNFOL4EQTLNZOPGCDLKJKXST/

The issues are fixed upstream in 0.18.4:
https://www.libraw.org/news/libraw-0-18-4

Mageia 6 is also affected and Mageia 5 probably is too.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Fedora backported a patch for this to 0.17.x: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y2VDFNBQS7MWQWHMKFKUYAA6XKYHBV3J/
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
It looks like other things that embed this code are also affected, like we've seen in the past. Fedora lists dcraw, libkdcraw, and rawtherapee as examples, and has issued an advisory for rawtherapee: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMHXYQOFX5OQSBWNNMCVGJLYXTZHXYTM/
Work is underway by ns80.

libraw-0.18.4-1.mga7 uploaded for Cauldron.

libraw-0.18.4-1.mga6.src.rpm built for Mageia 6:
libraw-tools-0.18.4-1.mga6
libraw16-0.18.4-1.mga6
libraw_r16-0.18.4-1.mga6
libraw-devel-0.18.4-1.mga6
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack. (CVE-2017-13735)

A Stack-based Buffer Overflow was discovered in xtrans_interpolate in internal/dcraw_common.cpp in LibRaw before 0.18.3. It could allow a remote denial of service or code execution attack. (CVE-2017-14265)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14265
========================

Updated packages in 5/core/updates_testing:
========================
libraw-tools-0.16.2-1.3.mga5
lib(64)raw10-0.16.2-1.3.mga5
lib(64)raw_r10-0.16.2-1.3.mga5
lib(64)raw-devel-0.16.2-1.3.mga5

from SRPMS:
libraw-0.16.2-1.3.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
libraw-tools-0.18.4-1.mga6
lib(64)raw16-0.18.4-1.mga6
lib(64)raw_r16-0.18.4-1.mga6
lib(64)raw-devel-0.18.4-1.mga6

from SRPMS:
libraw-0.18.4-1.mga6.src.rpm
Hi, Regarding the other software listed in comment 3, do we create separate bug reports for them or do we use this one? Best regards, Nico.
(In reply to Nicolas Salguero from comment #6)
> Hi,
>
> Regarding the other software listed in comment 3, do we create separate bug
> reports for them or do we use this one?
>
> Best regards,
>
> Nico.

Separate bug reports would be fine, then you can assign this one to QA. Thanks.
So I did it.
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Status: NEW => ASSIGNED
Blocks: (none) => 21755
Blocks: (none) => 21756
Blocks: (none) => 21757
Pointers Bug 17314 comments 1, 2|3. https://bugs.mageia.org/show_bug.cgi?id=21004#c3
CC: (none) => lewyssmith
Fedora has issued advisories on September 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4OTWHVODHFROYHMCNRUAZHNZDBH7YSPO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OPKCTEX7MK4ILYKIBQBK3VBM5U5CRJKK/

0.18.5 fixes an additional issue, CVE-2017-14348.
CC: (none) => qa-bugs
Summary: libraw new security issues CVE-2017-13735 and CVE-2017-14265 => libraw new security issues CVE-2017-13735, CVE-2017-14265, CVE-2017-14348
Assignee: qa-bugs => pkg-bugs
openSUSE has issued an advisory for CVE-2017-14348 on September 24: https://lists.opensuse.org/opensuse-updates/2017-09/msg00099.html
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack. (CVE-2017-13735)

A Stack-based Buffer Overflow was discovered in xtrans_interpolate in internal/dcraw_common.cpp in LibRaw before 0.18.3. It could allow a remote denial of service or code execution attack. (CVE-2017-14265)

LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCanonCameraInfo function via a crafted file. (CVE-2017-14348)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14348
========================

Updated packages in 5/core/updates_testing:
========================
libraw-tools-0.16.2-1.4.mga5
lib(64)raw10-0.16.2-1.4.mga5
lib(64)raw_r10-0.16.2-1.4.mga5
lib(64)raw-devel-0.16.2-1.4.mga5

from SRPMS:
libraw-0.16.2-1.4.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
libraw-tools-0.18.5-1.mga6
lib(64)raw16-0.18.5-1.mga6
lib(64)raw_r16-0.18.5-1.mga6
lib(64)raw-devel-0.18.5-1.mga6

from SRPMS:
libraw-0.18.5-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
MGA5-32 on Asus A6000VM Xfce

No installation issues.

Repeated tests as in bug 21004:

$ raw-identify P7212389.ORF
P7212389.ORF is a Olympus E-500 image.

$ nomacs P7212389.ORF
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
new suffix: .jpg *.jpeg)
I could save the image...

is OK as far as I go.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
MGA6-32 on Asus A6000VM MATE

No installation issues.

Same tests on same files as in Comment 13:

$ raw-identify P7212389.ORF
P7212389.ORF is a Olympus E-500 image.

but:

$ nomacs P7212389.ORF
Gtk-Message: Failed to load module "canberra-gtk-module"
[INFO] Hi there
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkViewPortInterface*, bool) to nmc::DkControlWidget::setPluginWidget(DkViewPortInterface*, bool)
[WARNING] QObject::connect: Cannot connect (null)::applyPluginChanges(bool) to nmc::DkControlWidget::applyPluginChanges(bool)
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkPluginContainer*, const QString&) to nmc::DkViewPort::applyPlugin(DkPluginContainer*, const QString&)
[INFO] CSS loaded from: ":/nomacs/stylesheet.css"
[INFO] local client created in: 113 ms
[INFO] LAN client created in: 0 ms
[INFO] Initialization takes: 887 ms
ORF IMAGE
ORF IMAGE
ORF IMAGE
[INFO] "/mnt/sda6/tester5/Afbeeldingen/P7212389.ORF" loaded in 16 ms
ORF IMAGE
ORF IMAGE

and the resulting picture displayed is only 160 by 120 pixels, where it is really 3360 by 2504, saving as JPEG also at the tiny resolution.

Then I tried:

$ strace -o ~/Documenten/libraw.txt gimp
Gtk-Message: Failed to load module "canberra-gtk-module"
(gimp:9169): GLib-GObject-WARNING **: g_object_set_valist: object class 'GeglConfig' has no property named 'cache-size'
Gtk-Message: Failed to load module "canberra-gtk-module"
ORF IMAGE

and opened the ORF file from gimp: picture shows at correct resolution and trace shows call to libraw.

I found no way in nomacs where I could handle the resolution of the ORF file (apart from reducing). So I guess this is not libraw's problem.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK
Advisory from comment 12, references from various earlier comments.
Keywords: (none) => advisory
@Herman, re comment 14

To get rid of those annoying
Gtk-Message: Failed to load module "canberra-gtk-module"
messages try:

$ sudo urpmi libcanberra-gtk0
CC: (none) => tarazed25
I shall take this on for 64-bit systems, mga5 and mga6. There are some raw files left over from rawtherapee.
Testing on x86_64 for mga6

Some documentation on usage of libraw at https://www.libraw.org/docs/Samples-LibRaw.html.
Taking Herman's lead on nomacs. Common image-viewers like eom and display cannot cope with raw images. There are tools related to dcraw which look to be beyond the scope of QA (unless somebody is already familiar with them).

PoC tests
---------------------------------------------------
CVE-2017-13735
https://bugzilla.redhat.com/show_bug.cgi?id=1483988
Download POC1.rar
$ unrar e POC1.rar
$ multirender_test POC1
Processing file POC1
Floating point exception (core dumped)
---------------------------------------------------
CVE-2017-14265
Test file needs ASAN analysis of output - leaving it alone.
---------------------------------------------------
CVE-2017-14348
This looks like another ASAN no-go.
---------------------------------------------------

The updates installed cleanly.
- lib64raw16-0.18.5-1.mga6.x86_64
- lib64raw_r16-0.18.5-1.mga6.x86_64
- libraw-tools-0.18.5-1.mga6.x86_64

PoC test
---------------------------------------------------
CVE-2017-13735
$ multirender_test POC1
Processing file POC1
Cannot unpack POC1: Input/output error

That looks like a good result.
---------------------------------------------------

Used tools to test the libraries.

$ urpmq --requires nomacs
.......
libraw.so.16()(64bit)
.......

$ raw-identify RAW_FUJI_X-T10.RAF
RAW_FUJI_X-T10.RAF is a Fujifilm X-T10 image.
$ raw-identify RAW_NIKON_E5700_SRGB.NEF
RAW_NIKON_E5700_SRGB.NEF is a Nikon E5700 image.
$ raw-identify 'KODAK C603 C643 Format 420 YRGB0001.RAW'
KODAK C603 C643 Format 420 YRGB0001.RAW is a Kodak C603 image.

$ nomacs RAW_OLYMPUS_E5.ORF
[INFO] Hi there
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkViewPortInterface*, bool) to nmc::DkControlWidget::setPluginWidget(DkViewPortInterface*, bool)
[WARNING] QObject::connect: Cannot connect (null)::applyPluginChanges(bool) to nmc::DkControlWidget::applyPluginChanges(bool)
[WARNING] QObject::connect: Cannot connect (null)::runPlugin(DkPluginContainer*, const QString&) to nmc::DkViewPort::applyPlugin(DkPluginContainer*, const QString&)
[INFO] local client created in: 4 ms
[INFO] CSS loaded from: ":/nomacs/stylesheet.css"
[INFO] LAN client created in: 0 ms
ORF IMAGE
[INFO] Initialization takes: 75 ms
ORF IMAGE
ORF IMAGE
ORF IMAGE
ORF IMAGE
ORF IMAGE
[INFO] "/home/lcl/qa/raw/RAW_OLYMPUS_E5.ORF" loaded in 60 ms

Saved the displayed file as RAW_NIKON_D3.png which showed in eom as a perfect copy of the original. Note that the nomacs display was at a diminished size but the saved conversion retained the original full resolution. The nomacs display can be switched to fullscreen to take advantage of the high resolution. First click the 'show at 100%' icon then hit 'fullscreen'.

Tried various functions of the interface (probably not relevant) and scanned through the raw image collection.

$ strace nomacs RAW_KODAK_DCSPRO.DCR 2> trace

Saved the image as a JPEG at 100% quality.

$ cat trace | grep raw
open("/lib64/libraw.so.16", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libraw.so.16.0.0", O_RDONLY) = 3
open("/usr/lib64/libraw.so.16.0.0", O_RDONLY) = 15
getcwd("/home/lcl/qa/raw", 4096) = 17

This update is fine for 64-bits.
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK
Testing on x86_64 for mga5

Installed nomacs and libraw-tools.

PoC test
---------------------------------------------------
CVE-2017-13735
https://bugzilla.redhat.com/show_bug.cgi?id=1483988
$ multirender_test POC1
Processing file POC1
Floating point exception

No core dump this time.
---------------------------------------------------

Installed updates:
libraw-tools-0.16.2-1.4.mga5
lib64raw_r10-0.16.2-1.4.mga5
lib64raw10-0.16.2-1.4.mga5

PoC test
---------------------------------------------------
CVE-2017-13735
$ multirender_test POC1
Processing file POC1
Cannot unpack POC1: Input/output error
---------------------------------------------------

Viewed and manipulated raw camera images.

$ raw-identify RAW_FUJI_S5PRO_V106.RAF
RAW_FUJI_S5PRO_V106.RAF is a Fujifilm S5Pro image.
$ raw-identify 'KODAK C603 C643 FORMAT 422 CCDI0001.RAW'
KODAK C603 C643 FORMAT 422 CCDI0001.RAW is a Kodak C603 image.

$ nomacs RAW_KODAK_DC120.KDC
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile

The image displayed entirely in shades of green.
Opened RAW_CANON_D60_ARGB.CRW - it looked fine.
RAW_NIKON_D3.NEF next and that displayed OK in a small frame. Set scale to 1:1 and used the PIP inset and its cursor to track around in the image. Saved image in JPEG format with image quality 100%.

Log:
Warning: Exif tag Exif.NikonPreview.JPEGInterchangeFormatLength not encoded
Warning: Exif IFD NikonPreview not encoded
Warning: Exif tag Exif.Photo.MakerNote not encoded
Warning: Exif tag Exif.NikonSi02xx.0x027a not encoded
I could save the image...

Viewed other raw images in the collection using the arrow icons. Exited and viewed the saved image in eom. No problem.

OK for 64-bits.
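Added example, not part of the bug report or of any Mageia QA tooling: a small shell helper that turns the before/after PoC check for CVE-2017-13735 shown in the two x86_64 test comments into a scripted verdict. It tells "killed by a signal" (the pre-update floating point exception) apart from "exited with an error" (the post-update "Cannot unpack" result). The function names and the script name poc_check.sh are hypothetical, and the check does not cover the two CVEs that the comments say need ASAN.

```shell
#!/bin/sh
# Added example (not from the bug report): classify how a PoC run ended.

# Map an exit status to a verdict. Statuses 129..192 are the shell's
# encoding of "killed by signal (status - 128)".
classify_status() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "ok"
    elif [ "$code" -gt 128 ] && [ "$code" -le 192 ]; then
        sig=$((code - 128))
        case "$sig" in
            4)  echo "crash:SIGILL" ;;
            6)  echo "crash:SIGABRT" ;;
            8)  echo "crash:SIGFPE" ;;
            11) echo "crash:SIGSEGV" ;;
            *)  echo "crash:signal-$sig" ;;
        esac
    else
        echo "handled-error:$code"
    fi
}

# Run the given command with core dumps off and output discarded,
# then print the verdict for its exit status.
run_poc() {
    rc=0
    ( ulimit -c 0; exec "$@" ) >/dev/null 2>&1 || rc=$?
    classify_status "$rc"
}

# Succeeds when the command did not die from a signal.
is_fixed() {
    case "$(run_poc "$@")" in
        crash:*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Usage: sh poc_check.sh multirender_test POC1
if [ "$#" -gt 0 ]; then
    run_poc "$@"
fi
```
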
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0357.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
0.18.5 also fixed CVE-2017-14608. openSUSE has issued an advisory for this on October 25: https://lists.opensuse.org/opensuse-updates/2017-10/msg00089.html We probably didn't backport that fix to Mageia 5, so I'll file a new bug.
*** Bug 21940 has been marked as a duplicate of this bug. ***